
WCF - The security protocol cannot verify the incoming message.

Reposted. Author: 太空宇宙. Updated: 2023-11-03 13:29:17

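I am trying to create a WCF service that uses certificate authentication over SSL to create a business-to-business gateway. I have created a CA and a client certificate and placed them in the Trusted Root and Personal folders respectively. I have set up the SSL route, but I keep getting the following error: "The security protocol cannot verify the incoming message". I don't understand why.

Below is my service configuration: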

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.0" />
  </system.web>
  <system.serviceModel>

    <services>
      <service name="B2BGateway.SSOBackChannel" behaviorConfiguration="B2B">
        <endpoint binding="wsHttpBinding"
                  bindingConfiguration="WSCertificateSecurity"
                  contract="B2BGateway.Contracts.ISSOBackChannel"
                  address="https://blah.com/SSOBackChannel.svc"></endpoint>
      </service>
    </services>

    <behaviors>
      <serviceBehaviors>
        <behavior name="B2B">

          <serviceMetadata httpsGetEnabled="true" />
          <serviceDebug includeExceptionDetailInFaults="true" />

          <serviceCredentials>
            <serviceCertificate />
            <clientCertificate>
              <authentication certificateValidationMode="PeerTrust" />
            </clientCertificate>
          </serviceCredentials>
          <serviceAuthorization principalPermissionMode="None"></serviceAuthorization>
        </behavior>
      </serviceBehaviors>

      <endpointBehaviors>
        <behavior name="B2B">
          <clientCredentials>
            <clientCertificate findValue="2e2ecba0f33265085cc53cb53c0b00977aaa9e9e" storeName="My" storeLocation="LocalMachine" x509FindType="FindByThumbprint" />
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>

    <bindings>
      <wsHttpBinding>
        <binding name="WSCertificateSecurity">
          <security mode="TransportWithMessageCredential">
            <transport clientCredentialType="None" proxyCredentialType="None" realm="" />
            <message clientCredentialType="Certificate" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>

  </system.serviceModel>

  <system.diagnostics>
    <sources>
      <!-- See here for recommended diagnostics settings: http://msdn.microsoft.com/en-us/library/aa702726.aspx -->
      <source name="System.ServiceModel" switchValue="Warning,Information,ActivityTracing,Verbose" propagateActivity="true">
        <listeners>
          <add name="traceListener" type="System.Diagnostics.XmlWriterTraceListener" initializeData="d:\logs\gah.svclog" />
        </listeners>
      </source>
    </sources>
  </system.diagnostics>
  <system.webServer>
    <directoryBrowse enabled="true" />
  </system.webServer>

</configuration>

The client configuration is just the auto-generated code:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>

  <system.serviceModel>
    <bindings>
      <wsHttpBinding>
        <binding name="WSHttpBinding_ISSOBackChannel" closeTimeout="00:01:00"
                 openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
                 bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard"
                 maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
                 messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true"
                 allowCookies="false">
          <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                        maxBytesPerRead="4096" maxNameTableCharCount="16384" />
          <reliableSession ordered="true" inactivityTimeout="00:10:00"
                           enabled="false" />
          <security mode="TransportWithMessageCredential">
            <transport clientCredentialType="None" proxyCredentialType="None"
                       realm="" />
            <message clientCredentialType="Certificate" negotiateServiceCredential="true"
                     algorithmSuite="Default" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <client>
      <endpoint address="https://blah.com/SSOBackChannel.svc"
                binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_ISSOBackChannel"
                contract="SSOBackChannelService.ISSOBackChannel" name="WSHttpBinding_ISSOBackChannel" />
    </client>
  </system.serviceModel>
</configuration>

I wrote a unit test to see whether it works, and this is where I get the error...

[TestMethod]
public void Should_Call_Service_As_Machine_Does_Have_x509Certificate()
{
    SSOBackChannelClient service = new SSOBackChannelClient();
    // Select the client certificate from LocalMachine\My by thumbprint.
    service.ClientCredentials.ClientCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, "2e2ecba0f33265085cc53cb53c0b00977aaa9e9e");
    var result = service.CheckBackChannelToken("123456789");
}

Any help would be much appreciated!! Josh

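Best answer

You are using wsHttpBinding, but you have not specified the certificate it needs to use to secure your transport channel. Try specifying the certificate it needs to use, i.e. for SSL

Also try enabling tracing on your service. See here for how to enable tracing.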
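The change the answer describes, shown against the question's `B2B` service behavior. This is an added example, not configuration from the original post or its answer; the service certificate thumbprint is a placeholder, and the `trustedStoreLocation` value is an assumption about where the client certificate is installed on the server.

```xml
<!-- Added example: only the serviceCredentials part of the B2B behavior changes. -->
<serviceBehaviors>
  <behavior name="B2B">
    <serviceMetadata httpsGetEnabled="true" />
    <serviceDebug includeExceptionDetailInFaults="true" />

    <serviceCredentials>
      <!-- Before: <serviceCertificate /> named no certificate at all.
           After: point at the service's own certificate (it must have a
           private key readable by the application pool identity).
           PLACEHOLDER thumbprint: replace with the real one. -->
      <serviceCertificate findValue="SERVICE-CERT-THUMBPRINT-PLACEHOLDER"
                          storeLocation="LocalMachine"
                          storeName="My"
                          x509FindType="FindByThumbprint" />
      <clientCertificate>
        <!-- PeerTrust accepts a client certificate only when that exact
             certificate is present in the Trusted People store of
             trustedStoreLocation; a copy in Trusted Root or Personal does
             not satisfy it. LocalMachine here is an assumption. -->
        <authentication certificateValidationMode="PeerTrust"
                        trustedStoreLocation="LocalMachine" />
      </clientCertificate>
    </serviceCredentials>
    <serviceAuthorization principalPermissionMode="None"></serviceAuthorization>
  </behavior>
</serviceBehaviors>
```

With the `System.ServiceModel` trace source from the question's configuration still enabled, the `.svclog` file records the underlying validation exception behind the generic client-side error.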

Regarding "WCF - The security protocol cannot verify the incoming message.", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/8118181/
